On Jul 4, 2012, at 8:18 PM, Richard Jones <[email protected]> wrote:

> On 23 June 2012 10:21, Aaron Meurer <[email protected]> wrote:
>> There's also the issue that every time we put out a release candidate for a new version, pip starts installing that, when I would prefer it to only install stable final releases. It's also, as I noted on the other discussion list, a bit of a security risk.
>>
>> According to the pip guys (namely, Carl Meyer), this is not so easy to change from their end because of backwards compatibility issues. I suggested that such a flag be added to PyPI, and they told me that if it were, they would accept a patch supporting it in pip. This would make it much less of a headache for me as a package maintainer, because I could know that pip will always install exactly what I want. It could be off by default to enable backwards compatibility.
>
> Just to be clear, what's being proposed is some way to flag a release on PyPI as being "stable" (or some other release as "unstable")? Then a tool such as pip could prefer a stable release over an unstable release while scraping download links from PyPI and all related pages? How would this flag be presented to pip? How would a package maintainer manage it?

I think the cleanest way would be to just have a way to tell pip to only install the files that are uploaded to PyPI (alternately, files from a direct download link). In other words, I want to force pip/easy_install to *not* do any link scraping.

The way I visualize it is somewhere in the PyPI package page, there is a checkbox, off by default, that says something like, "PyPI only." and the descriptor text would be something like, "This will prevent tools like pip and easy_install from link scraping to find the most recent version of this package. Only the uploaded file for the most recent version on PyPI will be downloaded by these tools, even if a newer version might be found on another website. This is useful if you want to prevent pip/easy_install from downloading incorrect files that it thinks are newer, or if you want it to only download a stable version, but remember that if you check this, it is up to you to update the package here on PyPI when new versions are released or pip/easy_install will never install them."

I think this would have to be a package-wide setting (unlike most settings, which are version-wide) because you're telling it to always use the newest version on PyPI, regardless of what that is.

> Just a thought on the version number precedence rules: would using "sympy-rc1-0.7.1" rather than "sympy-0.7.1-rc1" (i.e. your version is "rc1-0.7.1" instead of "0.7.1-rc1") work? It's a hack, I know, but I had another look at the easy_install docs page and it's not clear to me whether that would work. I think it might because it uses the same basic work-around as the sympy-docs-html file.

Yes, I know I could hack my way to it, but I'd really like to be able to just check a box and forget about it. And by the way, 0.7.1-rc1 actually *is* newer than 0.7.0.

Another possibility if this flag is implemented is an optional flag to pip that would tell it to ignore it, for those who really do want the newest version (and know the risks). I have no qualms against people being able to pip install release candidates, I just don't want it to happen by default.

Aaron Meurer

> Richard

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
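The two behaviours the thread argues about, preferring a stable final release over a release candidate and refusing files that are not hosted on PyPI, can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from pip, or from PyPI. The host name `pypi.python.org`, the constructed external host `downloads.example.org`, the candidate file list, and every function name are assumptions made for the example, and the version grammar it accepts (`a`, `b`, `rc` suffixes with an optional separator) is a deliberate simplification.

```python
import re
from typing import NamedTuple, Optional, Sequence, Tuple
from urllib.parse import urlparse


# Version model: (release numbers, phase rank, phase number).
# Phase ranks order a < b < rc < final, so plain tuple comparison gives
# the precedence the thread relies on: 0.7.0 < 0.7.1-rc1 < 0.7.1.
class Version(NamedTuple):
    release: Tuple[int, ...]
    phase: int        # 0 = a, 1 = b, 2 = rc, 3 = final release
    phase_num: int

    @property
    def is_prerelease(self) -> bool:
        return self.phase < 3


_PHASES = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-._]?(a|b|rc)(\d+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse '0.7.1', '0.7.1-rc1' or '0.7.1b2'; return None for anything else.

    The 'rc1-0.7.1' renaming hack mentioned in the thread does not start
    with a number, so this parser treats it as not a version at all."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:   # 1.0 == 1.0.0
        release = release[:-1]
    if m.group(2) is None:
        return Version(release, 3, 0)
    return Version(release, _PHASES[m.group(2)], int(m.group(3)))


def version_from_filename(project: str, filename: str) -> Optional[Version]:
    """Strip '<project>-' and an sdist extension, then parse the remainder."""
    prefix = project + "-"
    if not filename.startswith(prefix):
        return None
    stem = filename[len(prefix):]
    for ext in (".tar.gz", ".tar.bz2", ".zip"):
        if stem.endswith(ext):
            return parse_version(stem[: -len(ext)])
    return None


def select_download(project: str,
                    candidates: Sequence[Tuple[str, str]],
                    trusted_hosts,
                    allow_prerelease: bool = False) -> Optional[str]:
    """Return the filename an installer should fetch, or None.

    trusted_hosts models the proposed "PyPI only" checkbox: any link that
    resolves to another host is ignored even if its version is newer.
    allow_prerelease models the opt-in override the thread asks for;
    it is off by default, so release candidates are skipped."""
    best = None
    for filename, url in candidates:
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            continue
        v = version_from_filename(project, filename)
        if v is None or (v.is_prerelease and not allow_prerelease):
            continue
        if best is None or v > best[0]:
            best = (v, filename)
    return best[1] if best else None


# Assumption: PyPI's own file host for this example.
PYPI_HOSTS = frozenset({"pypi.python.org"})

# Constructed candidate list in the shape a link scraper would collect:
# two uploads on PyPI, the renaming hack from the thread, and a newer
# file found on an external site.
CANDIDATES = [
    ("sympy-0.7.0.tar.gz",
     "http://pypi.python.org/packages/source/s/sympy/sympy-0.7.0.tar.gz"),
    ("sympy-0.7.1-rc1.tar.gz",
     "http://pypi.python.org/packages/source/s/sympy/sympy-0.7.1-rc1.tar.gz"),
    ("sympy-rc1-0.7.1.tar.gz",
     "http://pypi.python.org/packages/source/s/sympy/sympy-rc1-0.7.1.tar.gz"),
    ("sympy-0.7.2.tar.gz",
     "http://downloads.example.org/sympy/sympy-0.7.2.tar.gz"),
]

if __name__ == "__main__":
    print("default:        ", select_download("sympy", CANDIDATES, PYPI_HOSTS))
    print("allow prerelease:", select_download("sympy", CANDIDATES, PYPI_HOSTS,
                                               allow_prerelease=True))
    print("external allowed:", select_download(
        "sympy", CANDIDATES, PYPI_HOSTS | {"downloads.example.org"}))
```

With the defaults the routine picks `sympy-0.7.0.tar.gz`: the release candidate is skipped because pre-releases are off, and the externally hosted 0.7.2 is skipped because its host is not trusted. Passing `allow_prerelease=True` selects the rc, which the ordering correctly ranks above 0.7.0 and below a final 0.7.1, and widening `trusted_hosts` is the "I know the risks" override for the host rule.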
